FOR IMMEDIATE RELEASE: December 3, 2006
As The Holiday Shopping Season Ramps Up Schumer Warns: New No-Swipe Credit Cards Make Identity Theft Easy As 1-2-3
Info Could be Stolen While Card Remains in Pants Pocket or Pocketbook
Unsuspecting Shoppers Using New Cards that Use Radio Frequency Technology Could be Making their Private Information Readily Available; Protection on Cards Varies Widely
Senator Unveils 3-Point Plan Including Higher Encryptions Standards and Clear Warnings on Contracts to Ensure Customer’s Privacy is Not Rip
As the holiday shopping season ramps up, new credit card technology that is being marketed heavily toward New Yorkers is putting consumers at a much higher risk for identity theft. The new technology – no swipe credit cards—promise faster transaction times without the need for swiping the card or signing a receipt. However, these cards allow for personal information to be picked up by would-be thieves using digital eavesdropping technology that is easy to produce. Schumer today warned consumers about this new technology and unveiled a three point plan to ensure that the technology is regulated to ensure protection for consumers. An estimated 20 million no-swipe credit cards have been issued, and the technology is spreading quickly.
“If you are using a no–swipe credit card, when you put your card in your back pocket or in your pocketbook, you might as well print your credit card number across your back,” Schumer said. “Holiday shoppers need to be extremely careful with their credit cards, and these companies need to step up their efforts to protect people from identity theft.”
Over the past two decades, the use of Radio Frequency Identification (RFID) technology has exploded. The RFID system is an automatic identification system that allows data on credit cards and other items to be transmitted by portable “tags.” A tag is a small digital chip containing a transponder and a digital memory chip that holds detailed information on the credit card and its user, including the card holder’s name and the card’s number and expiration date. This chip is embedded in no-swipe credit cards. When customers use these credit cards to make a purchase, the “tagged” card is read and processed by a special RFID reader operated by the retailer or salesperson. The RFID reader is an antenna equipped with a transceiver and decoder, which emits a signal activating and reading the tag and then transferring the data from the credit card to a host computer for processing. When a tag is a short distance from the electromagnetic zone emitted by the RFID reader, the reader detects the tag and accesses its information. RFID readers have grown popular with retailers because it allows them to quickly read a customer’s credit card and process a payment rather than swiping the customer’s credit card and waiting for a signature.
Originating in the 1980s, today RFID systems are commonly used as anti-theft tags attached to merchandise in stores and as animal tracking tags where they are inserted into an animal’s skin. Recently, however, the development of microscopic tags has triggered a proliferation of their usage. In addition to credit card data, the RFID tags can also store personal information including home addresses, social security numbers and even information on an individual’s shopping habits. The United States intends to issue passports that will use RFID technology to store digital photos and personal information about the passport holder. In New York, RFID technology is used in Easy Passes so that money can be deducted upon going through the toll station without having to stop, and more recently has been integrated into the subway system, allowing customers to just tap the turnstyle with their card or wave it over a designated area to get through. The systems work in such a way that once you get in range of an RFID reader it is able to connect with a card.
However, expanding the use of RFID to credit cards has many potential pitfalls – both in terms of security and privacy – that could dog New Yorkers during this holiday season. Whereas traditional credit cards require physical contact to be read, RFID technology broadcast the credit card information to RFID readers, which means thieves operating the readers can intercept the data without ever physically touching the card or alerting the cardholder. Though these cards are advertised as having safe levels of encryption, a recent study done by the University of Massachusetts at Amherst tested 20 cards, all issued in the past year, and showed that encryption levels were not nearly strict enough to keep interlopers out of personal information. They found that a person using a “card skimming” device made with off-the-shelf components and costing as little as $50 could walk around in a crowded place and steal private information from passersby just by passing the reader near a handbag or a wallet. The signal from an RFID tag can pass through clothing and wallets. That same thief could steal information out of mailboxes with the exact same technology, if they walked through a neighborhood under the guise of delivering fliers but using a card skimmer on each of the mailboxes to take data from credit cards in envelopes. Although companies claim that the cards function only at very short distances, RFID readers often function at greater distances than claimed and a stronger antenna can lengthen that distance.
Schumer said today that the proliferation of this technology – in cargo security, on subways, in gas stations and the like – means that identity thieves could benefit from having more opportunities to steal the data. Rather than a piecemeal approach, companies should protect consumers by using the highest levels of security protections possible. Though some companies have worked hard to ensure their cards meet the highest standards such as J.P. Morgan, Citigroup and American Express, others, Schumer said, need to do the same.
In a continuing effort to combat the scourge of identity theft Schumer today unveiled his three point plan to ensure that RFID does not put cardholders at risk for identity theft. The Senator called on the Federal Reserve in consultation with other bank regulators, to protect consumers with the following measures:
• Require a warning box on the contract to explain the vulnerability of the technology. No-swipe cards are commonly marketed as a way to increase convenience, but consumers should be informed of the risks of the RFID technology and credit card companies should disclose the known weaknesses of the technology. The Schumer Box requires basic information about terms of a credit card account such as APR and finance charges. The potential risks of RFID technology should be included as part of this standard consumer information.
• Require higher encryption standards. Some cards currently on the market protect consumers better than others. Schumer called for uniform regulations that will bring all cards up to the highest standards, so that consumers can carry and use the cards without fear.
• Companies must offer the same terms and deals to customers on a regular swipe card as they would offer on the no-swipe cards. Consumers should not be asked to sell their privacy and security in order to get a better deal, especially during the holiday season.